
Windows XP Recovery & Re-Direct



First noticed XP Recovery infection and attempted to fix with Malwarebytes, Super antiSpy and Hitman. Also ran Unhide.exe to get back app access. Most programs are back, but am still missing Windows>Accessories>System Tools and many others.

Hijacked system will not allow proper install and running of AVIR.

Firefox, IE, Safari searches all redirecting. Looks like piggybacked infections.

Thank you in advance for your help!!

Following is the MBAM log:

www.malwarebytes.org

Database version: 6878

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/17/2011 12:16:49 PM

mbam-log-2011-06-17 (12-16-49).txt

Scan type: Quick scan

Objects scanned: 172331

Time elapsed: 19 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\User one\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

DDS.txt:

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by User one at 10:04:17 on 2011-06-17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1200 [GMT -4:00]

.

AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}

AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: CA Personal Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\lxczcoms.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\system32\mdmcls32.exe

C:\WINDOWS\system32\svcprs32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\WINDOWS\system32\MSTMON_S.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

C:\Program Files\Lexmark 1200 Series\lxczbmon.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll

TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY

mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"

mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl

mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe

mRun: [KONICA MINOLTA magicolor 2400W STD] c:\windows\system32\MSTMON_S.EXE STARTUP

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup

mRun: [Corel File Shell Monitor] c:\program files\corel\corel mediaone\CorelIOMonitor.exe

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\useron~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: c:\windows\system32\winsflt.dll

LSP: c:\windows\system32\VetRedir.dll

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211185305437

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{38EF28CB-69F3-48BB-82B6-3BD71C9BFE72} : DhcpNameServer = 192.168.0.1

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: LMIinit - LMIinit.dll

Notify: PFW - UmxWnp.Dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 relog_ap

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user one\application data\mozilla\firefox\profiles\rzm01mev.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-16 11608]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-9-24 61008]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-9-24 115792]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-16 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-16 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-16 61960]

R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-28 206152]

R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-6-23 212992]

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-6-23 206160]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-9-24 146000]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-9-24 61008]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-1 47640]

R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]

R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]

R2 WinExtManager;WinSock Extention Manager;c:\windows\system32\mdmcls32.exe [2008-10-2 2347760]

R2 WinSvchostManager;WinSock Svchost Manager;c:\windows\system32\svcprs32.exe [2008-10-2 1377008]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-06-16 19:07:56 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-16 19:07:55 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-16 19:07:01 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-06-16 19:00:53 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-16 19:00:52 -------- d-----w- c:\program files\Avira

2011-06-16 19:00:52 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-06-15 00:48:13 -------- d-----w- c:\documents and settings\user one\application data\Malwarebytes

2011-06-15 00:48:04 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-15 00:48:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-15 00:48:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-14 23:57:37 -------- d-----w- c:\documents and settings\user one\application data\SUPERAntiSpyware.com

2011-06-14 23:57:37 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-06-14 23:57:28 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-14 23:15:55 -------- d-----w- C:\sh4ldr

2011-06-14 23:15:55 -------- d-----w- c:\program files\Enigma Software Group

2011-06-14 23:15:09 -------- d-----w- c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP

2011-06-13 19:17:31 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-06-13 19:17:31 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-13 16:07:22 -------- d-----w- C:\ProWin10

2011-06-10 13:25:57 -------- d-----w- c:\documents and settings\user one\application data\VirtualStore

2011-05-27 12:46:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-06-15 02:55:37 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-05-30 14:46:52 2828 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys

.

============= FINISH: 10:04:54.14 ===============

Thank you again!


Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Hi - Thanks for the help!

Following is the MBAM log and the DDS report. My attempts to run ComboFix have been unsuccessful. First it was 'unable to download iexplore.exe'; next, it would freeze at output to c:\32788R22FWJFW; finally, it cannot run with CA Antivirus installed, although I had run the uninstall. Now all attempts to uninstall CA software result in an error message: 'Uninstall Process cannot complete -please contact support'. Their Mumbai support team is, well... never mind.

What would you have me do? Here are the logs / reports:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6904

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/20/2011 4:38:55 PM

mbam-log-2011-06-20 (16-38-55).txt

Scan type: Quick scan

Objects scanned: 170569

Time elapsed: 22 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by User one at 18:52:21 on 2011-06-20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1535 [GMT -4:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: CA Personal Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\lxczcoms.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\MSTMON_S.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

C:\Program Files\Lexmark 1200 Series\lxczbmon.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File

TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY

mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"

mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl

mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe

mRun: [KONICA MINOLTA magicolor 2400W STD] c:\windows\system32\MSTMON_S.EXE STARTUP

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup

mRun: [Corel File Shell Monitor] c:\program files\corel\corel mediaone\CorelIOMonitor.exe

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\useron~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211185305437

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{38EF28CB-69F3-48BB-82B6-3BD71C9BFE72} : DhcpNameServer = 192.168.0.1

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: LMIinit - LMIinit.dll

Notify: PFW - UmxWnp.Dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 relog_ap

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user one\application data\mozilla\firefox\profiles\rzm01mev.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\firefox\components\CAFxToolBar.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-16 11608]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-9-24 61008]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-9-24 115792]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-16 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-16 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-16 61960]

R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-6-23 206160]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-9-24 146000]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-9-24 61008]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-1 47640]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]

S2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]

S2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-06-16 19:07:56 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-16 19:07:55 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-16 19:07:01 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-06-16 19:00:53 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-16 19:00:52 -------- d-----w- c:\program files\Avira

2011-06-16 19:00:52 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-06-15 00:48:13 -------- d-----w- c:\documents and settings\user one\application data\Malwarebytes

2011-06-15 00:48:04 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-15 00:48:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-15 00:48:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-14 23:57:37 -------- d-----w- c:\documents and settings\user one\application data\SUPERAntiSpyware.com

2011-06-14 23:57:37 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-06-14 23:57:28 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-14 23:15:55 -------- d-----w- C:\sh4ldr

2011-06-14 23:15:55 -------- d-----w- c:\program files\Enigma Software Group

2011-06-14 23:15:09 -------- d-----w- c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP

2011-06-13 19:17:31 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-06-13 19:17:31 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-13 16:07:22 -------- d-----w- C:\ProWin10

2011-06-10 13:25:57 -------- d-----w- c:\documents and settings\user one\application data\VirtualStore

2011-05-27 12:46:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-06-15 02:55:37 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-05-30 14:46:52 2828 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys

.

============= FINISH: 18:52:54.84 ===============

Revo worked. Following is the updated MBAM log, ComboFix report, dds.txt and attach.txt.

Thanks Again!

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6904

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/20/2011 4:38:55 PM

mbam-log-2011-06-20 (16-38-55).txt

Scan type: Quick scan

Objects scanned: 170569

Time elapsed: 22 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-06-26.01 - User one 06/26/2011 18:32:45.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1655 [GMT -4:00]

Running from: c:\documents and settings\User one\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\User one\g2mdlhlpx.exe

c:\documents and settings\User one\Start Menu\Programs\Windows XP Restore

F:\install.exe

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-05-26 to 2011-06-26 )))))))))))))))))))))))))))))))

.

.

2011-06-26 22:05 . 2011-06-26 22:05 -------- d-----w- c:\program files\VS Revo Group

2011-06-16 19:07 . 2011-06-16 19:07 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-16 19:07 . 2011-06-16 19:07 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-16 19:07 . 2011-06-16 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2011-06-15 02:47 . 2011-06-15 03:31 -------- d-----w- c:\documents and settings\Administrator

2011-06-15 00:48 . 2011-06-15 00:48 -------- d-----w- c:\documents and settings\User one\Application Data\Malwarebytes

2011-06-15 00:48 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-15 00:48 . 2011-06-15 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-15 00:48 . 2011-06-15 03:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-14 23:57 . 2011-06-14 23:57 -------- d-----w- c:\documents and settings\User one\Application Data\SUPERAntiSpyware.com

2011-06-14 23:57 . 2011-06-14 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-06-14 23:57 . 2011-06-14 23:57 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-14 23:15 . 2011-06-15 00:07 -------- d-----w- C:\sh4ldr

2011-06-14 23:15 . 2011-06-14 23:15 -------- d-----w- c:\program files\Enigma Software Group

2011-06-14 23:15 . 2011-06-15 00:07 -------- d-----w- c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP

2011-06-13 19:17 . 2011-06-13 19:17 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-13 16:07 . 2011-06-13 20:40 -------- d-----w- C:\ProWin10

2011-06-10 13:25 . 2011-06-10 13:25 -------- d-----w- c:\documents and settings\User one\Application Data\VirtualStore

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-13 19:21 . 2011-05-27 12:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-30 14:46 . 2008-11-07 21:54 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2011-06-10 14:43 . 2011-04-01 16:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-10 2424192]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]

"KONICA MINOLTA magicolor 2400W STD"="c:\windows\system32\MSTMON_S.EXE" [2005-06-22 184320]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]

"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]

"Corel File Shell Monitor"="c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe" [2008-07-10 37888]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]

"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

c:\documents and settings\User one\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-9-17 541976]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-9-14 984352]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-28 23:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]

2009-03-27 19:27 79368 ----a-w- c:\windows\system32\UmxWNP.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\WINDOWS\\system32\\lxczcoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [5/3/2010 2:12 AM 108112]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [3/22/2010 1:58 PM 79864]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [9/24/2010 11:16 AM 61008]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [9/24/2010 11:16 AM 115792]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [9/24/2010 11:16 AM 146000]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [9/24/2010 11:16 AM 61008]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [8/4/2009 10:42 AM 887288]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [8/24/2010 12:07 PM 740160]

R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [9/17/2010 12:21 PM 301648]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/9/2010 6:54 AM 244304]

S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe --> c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [?]

S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/14/2011 8:48 PM 39984]

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\User one\Application Data\Mozilla\Firefox\Profiles\rzm01mev.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

HKLM-Run-SigmatelSysTrayApp - sttray.exe

AddRemove-_{707EB912-C597-49D8-9460-46CC9AB03EBE} - c:\program files\Corel\Corel Painter Photo Essentials 4\MSILauncher {707EB912-C597-49D8-9460-46CC9AB03EBE}

AddRemove-{C3E7091E-E650-4951-B8A4-1FE6252D52C3} - c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\setup\ccinstaller.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-26 18:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(784)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\LMIinit.dll

c:\windows\system32\UmxWnp.Dll

c:\windows\system32\LMIRfsClientNP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\windows\system32\lxczcoms.exe

c:\windows\system32\PSIService.exe

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Lexmark 1200 Series\lxczbmon.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

.

**************************************************************************

.

Completion time: 2011-06-26 18:42:54 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-26 22:42

.

Pre-Run: 126,877,519,872 bytes free

Post-Run: 130,655,727,616 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 351BEFE825451BD08CCDD53534F440AD

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by User one at 18:44:04 on 2011-06-26

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1607 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\lxczcoms.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\WINDOWS\system32\MSTMON_S.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

C:\Program Files\Corel\Corel MediaOne\CorelIOMonitor.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

C:\Program Files\Lexmark 1200 Series\lxczbmon.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File

TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY

mRun: [KONICA MINOLTA magicolor 2400W STD] c:\windows\system32\MSTMON_S.EXE STARTUP

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup

mRun: [Corel File Shell Monitor] c:\program files\corel\corel mediaone\CorelIOMonitor.exe

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\useron~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mbcame~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: turbotax.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211185305437

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{38EF28CB-69F3-48BB-82B6-3BD71C9BFE72} : DhcpNameServer = 192.168.0.1

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: LMIinit - LMIinit.dll

Notify: PFW - UmxWnp.Dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user one\application data\mozilla\firefox\profiles\rzm01mev.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2010-9-24 61008]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2010-9-24 115792]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2010-9-24 146000]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2010-9-24 61008]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-4-1 47640]

R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]

R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]

S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe --> c:\program files\ca\ca internet security suite\ccschedulersvc.exe [?]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-14 39984]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-06-26 22:31:28 -------- d-sha-r- C:\cmdcons

2011-06-26 22:29:33 -------- d-----w- C:\ComboFix

2011-06-26 22:28:40 98816 ----a-w- c:\windows\sed.exe

2011-06-26 22:28:40 518144 ----a-w- c:\windows\SWREG.exe

2011-06-26 22:28:40 256512 ----a-w- c:\windows\PEV.exe

2011-06-26 22:28:40 208896 ----a-w- c:\windows\MBR.exe

2011-06-26 22:05:43 -------- d-----w- c:\program files\VS Revo Group

2011-06-16 19:07:56 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-16 19:07:55 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-16 19:07:01 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-06-15 00:48:13 -------- d-----w- c:\documents and settings\user one\application data\Malwarebytes

2011-06-15 00:48:04 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-15 00:48:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-15 00:48:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-14 23:57:37 -------- d-----w- c:\documents and settings\user one\application data\SUPERAntiSpyware.com

2011-06-14 23:57:37 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-06-14 23:57:28 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-06-14 23:15:55 -------- d-----w- C:\sh4ldr

2011-06-14 23:15:55 -------- d-----w- c:\program files\Enigma Software Group

2011-06-14 23:15:09 -------- d-----w- c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP

2011-06-13 19:17:31 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-06-13 19:17:31 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-13 16:07:22 -------- d-----w- C:\ProWin10

2011-06-10 13:25:57 -------- d-----w- c:\documents and settings\user one\application data\VirtualStore

.

==================== Find3M ====================

.

2011-06-15 02:55:37 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2011-06-13 19:21:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-30 14:46:52 2828 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys

.

============= FINISH: 18:44:16.18 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-12.02)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 4/24/2008 1:14:36 AM

System Uptime: 6/26/2011 6:38:30 PM (0 hours ago)

.

Motherboard: Intel Corporation | | D975XBX2

Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz | J3E1 | 2000/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 121.715 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is FIXED (NTFS) - 233 GiB total, 189.244 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Video Controller (VGA Compatible)

Device ID: PCI\VEN_10DE&DEV_0402&SUBSYS_22861682&REV_A1\4&16020E22&0&0008

Manufacturer:

Name: Video Controller (VGA Compatible)

PNP Device ID: PCI\VEN_10DE&DEV_0402&SUBSYS_22861682&REV_A1\4&16020E22&0&0008

Service:

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Device

Device ID: PCI\VEN_11AB&DEV_6145&SUBSYS_58428086&REV_A1\4&2D8B019B&0&00E4

Manufacturer:

Name: PCI Device

PNP Device ID: PCI\VEN_11AB&DEV_6145&SUBSYS_58428086&REV_A1\4&2D8B019B&0&00E4

Service:

.

==== System Restore Points ===================

.

RP873: 6/10/2011 9:13:11 AM - System Checkpoint

RP874: 6/10/2011 10:13:34 AM - System Checkpoint

RP875: 6/11/2011 10:20:05 AM - System Checkpoint

RP876: 6/12/2011 10:32:22 AM - System Checkpoint

RP877: 6/13/2011 10:49:29 AM - System Checkpoint

RP878: 6/13/2011 12:07:59 PM - Installed ProSeries 2010

RP879: 6/13/2011 12:09:09 PM - Configured ProSeries User's Guide 2010

RP880: 6/13/2011 12:12:11 PM - Printer Driver Amyuni Document Converter 400 Installed

RP881: 6/13/2011 12:12:42 PM - Installed AnswerWorks 4.0 Runtime - English

RP882: 6/13/2011 1:12:16 PM - Installed ProSeries 2010

RP883: 6/13/2011 1:12:43 PM - Configured ProSeries User's Guide 2010

RP884: 6/13/2011 1:15:12 PM - Printer Driver Amyuni Document Converter 400 Installed

RP885: 6/13/2011 1:16:04 PM - Installed AnswerWorks 4.0 Runtime - English

RP886: 6/13/2011 1:18:44 PM - Installed ProSeries 2010

RP887: 6/13/2011 1:19:45 PM - Configured ProSeries User's Guide 2010

RP888: 6/13/2011 1:23:20 PM - Printer Driver Amyuni Document Converter 400 Installed

RP889: 6/13/2011 1:23:58 PM - Installed AnswerWorks 4.0 Runtime - English

RP890: 6/13/2011 2:55:51 PM - Removed ProSeries User's Guide 2010

RP891: 6/13/2011 3:00:47 PM - Installed ProSeries 2010

RP892: 6/13/2011 3:01:55 PM - Installed ProSeries User's Guide 2010

RP893: 6/13/2011 3:05:53 PM - Printer Driver Amyuni Document Converter 400 Installed

RP894: 6/13/2011 3:06:31 PM - Installed AnswerWorks 4.0 Runtime - English

RP895: 6/13/2011 3:15:07 PM - Restore Operation

RP896: 6/13/2011 3:50:19 PM - Installed ProSeries 2010

RP897: 6/13/2011 3:51:18 PM - Configured ProSeries User's Guide 2010

RP898: 6/13/2011 3:54:15 PM - Printer Driver Amyuni Document Converter 400 Installed

RP899: 6/13/2011 3:54:50 PM - Installed AnswerWorks 4.0 Runtime - English

RP900: 6/14/2011 4:34:52 PM - System Checkpoint

RP901: 6/14/2011 7:15:53 PM - Installed SpyHunter

RP902: 6/14/2011 8:07:55 PM - Removed SpyHunter

RP903: 6/14/2011 11:33:38 PM - Restore Operation

RP904: 6/16/2011 1:45:06 PM - System Checkpoint

RP905: 6/17/2011 2:24:13 PM - System Checkpoint

RP906: 6/18/2011 3:24:11 PM - System Checkpoint

RP907: 6/19/2011 4:24:11 PM - System Checkpoint

RP908: 6/20/2011 5:16:59 PM - System Checkpoint

RP909: 6/20/2011 6:32:45 PM - Removed CA Parental Controls

RP910: 6/20/2011 6:34:52 PM - CA Internet Security Suite

RP911: 6/20/2011 6:38:21 PM - CA Internet Security Suite

RP912: 6/20/2011 6:49:18 PM - CA Internet Security Suite

RP913: 6/20/2011 6:57:27 PM - CA Internet Security Suite

RP914: 6/20/2011 7:11:23 PM - Installed Default.

RP915: 6/20/2011 7:34:03 PM - CA Internet Security Suite

RP916: 6/20/2011 7:34:55 PM - CA Internet Security Suite

RP917: 6/26/2011 6:07:03 PM - Revo Uninstaller's restore point - CA Internet Security Suite

RP918: 6/26/2011 6:07:26 PM - CA Internet Security Suite

.

==== Installed Programs ======================

.

ABBYY FineReader 6.0 Sprint

Acrobat.com

Acronis True Image Home

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Flash Player 9 ActiveX

Adobe Reader 9.4.4

Amazon Software Downloader

AnswerWorks 4.0 Runtime - English

Apple Application Support

Apple Software Update

BlackBerry Desktop Software 6.0

Bonjour

CA Personal Firewall

Color Efex Pro 3.0 Corel Sampler

Corel MediaOne

Corel Paint Shop Pro Photo X2

Corel Painter Photo Essentials 4

COWON Media Center - jetAudio Basic VX

Defraggler

Digital Photo Navigator 1.5

Document eSort Components

Everio MediaBrowser

GoToMeeting 4.0.0.320

High Definition Audio Driver Package - KB888111

HIPSCC

Hitman Pro 3.5

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

ImageSkill Background Remover 3

Intel Audio Studio 2.0

Intel® PRO Network Connections 12.1.12.0

Intuit Entitlement Client

Java Auto Updater

Java 6 Update 21

Java 6 Update 7

KONICA MINOLTA magicolor 2400W

Lexmark 1200 Series

Lexmark Fax Solutions

LogMeIn

Malwarebytes' Anti-Malware version 1.51.0.1200

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Office 2007 Primary Interop Assemblies

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218

Microsoft Visual Studio 2005 Tools for Office Runtime

Mozilla Firefox 4.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

OpenOffice.org 3.2

PHOTORECOVERY LE

ProSeries 2007

ProSeries 2008

ProSeries 2009

ProSeries 2010

ProSeries User's Guide 2010

QuickBooks

QuickBooks Pro 2009

QuickTime

Revo Uninstaller 1.92

Safari

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2183461)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360131)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2416400)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2497640)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SigmaTel Audio

SmartFTP Client

SmartFTP Client 3.0 Setup Files (remove only)

SUPERAntiSpyware

SupportSoft Assisted Service

TurboTax Deluxe 2007

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Verizon Online DSL

Visual Studio 2005 Tools for Office Second Edition Runtime

VLC media player 0.9.6

WebFldrs XP

Winamp

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

6/26/2011 6:23:56 PM, error: Service Control Manager [7000] - The CA Common Scheduler Service service failed to start due to the following error: The system cannot find the file specified.

6/26/2011 6:02:46 PM, error: Dhcp [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 001CC02BF00C has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

6/20/2011 7:18:38 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec KmxAgent KmxFile KmxFw KmxStart MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip

6/20/2011 7:18:38 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

6/20/2011 7:18:38 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/20/2011 7:18:38 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/20/2011 7:18:38 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

6/20/2011 7:18:38 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/20/2011 7:18:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

6/20/2011 7:17:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/20/2011 7:17:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

6/20/2011 7:17:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service UmxPol with arguments "-Service" in order to run the server: {4C89C3FD-5F94-4678-BBB5-F64759C3C54A}

6/20/2011 6:49:31 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

6/20/2011 4:14:05 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.

.

==== End Of File ===========================


Posted the wrong MBAM log - this is the correct one - SORRY....

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6955

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/26/2011 6:19:30 PM

mbam-log-2011-06-26 (18-19-30).txt

Scan type: Quick scan

Objects scanned: 173831

Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Thank you yet again!

It looks as if all programs re-appeared after running combo-fix, etc. The ESET Scanner found one last trojan file. I have not run any programs and have kept the infected computer offline out of paranoia - I use it most often for banking, tax work, etc. I keep data files on separate physical drives (internal F: or remote) which do not appear to have been affected, and was waiting for an all clear before pulling up data files.

In addition to running a Secunia scan and updating software, I plan on ditching the CA and migrating to Malware pro and Trend-micro Titanium (for firewall and anti-virus) - unless there is something else you would recommend?

Appreciate your input!

log.txt and checkup.txt follow:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=7e6355b2de4f574eb4c676dffd0cfe1f

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-07-01 01:50:28

# local_time=2011-06-30 09:50:28 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=4864 16777215 100 0 97375222 97375222 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=118137

# found=1

# cleaned=1

# scan_time=2278

C:\System Volume Information\_restore{038BE3DB-E75A-4E10-A979-49F9C3E0412C}\RP918\A0076097.sys Win32/Olmasco.E trojan (deleted - quarantined) 00000000000000000000000000000000 C

Results of screen317's Security Check version 0.99.17

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

ESET Online Scanner v3

CA Personal Firewall

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 9 (Out of date Flash Player installed!)

Adobe Flash Player 10.3.181.22

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java™ 6 Update 21

Java™ 6 Update 7

Adobe Flash Player 9 (Out of da

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.

-screen317


  • Staff

Hi,

Great news!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 4 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.